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1 Specification 

2 

3 _ELE.CJRQNI C^ CASINO GAMING SYSTEM WITH IMPROVE D 

4 PLAY CAPACITY, AUTHENTICATION AND SECURITY 

6 ^ BACKGROUND OF THE INVENTION 

7 Field of the Invention 

8 This invention relates to microprocessor based gaming Systems used in 

9 gambling casinos. 
10 

1 1 Brief Description of the Prior Art 

1 2 Microprocessor based gaming systems are known which are used in gambling 

13 casinos to augment the traditional slot machine games (e.g. three reel single or multi- 

14 line games) and card games, such as poker and black jack. In a typical gaming 

15 system of this type, a microprocessor based system includes both hardware and 

16 software components to provide the game playing capabilities. The hardware 

17 components include a video display for displaying the game play, mechanical 

1 8 switches for enabling player selection of additional cards or game play choices, coin 

19 acceptors and detectors and the electronic components usually found in a 

20 microprocessor based system, such as random access memory (RAM), read only 

21 memory (ROM), a processor and one or more busses. The software components 

22 include the initialization software, credit and payout routines, the game image and 

23 rules data set, and a random number generator algorithm. In order to be acceptable 

24 for casino use, an electronic gaming system must provide both security and 

25 authentication for the software components. For this reason, gaming commissions 

26 have heretofore required that all software components of an electronic gaming system 

27 be stored in unalterable memory, which is typically an unalterable ROM. In addition, 

28 a copy of the contents of the ROM or a message digest of the contents (or both) are 

29 normally kept on file in a secure location designated by the gaming commission so 

30 that the contents of an individual ROM removed from a gaming machine can be 

3 1 verified against the custodial version. 

32 In a typical arrangement, a message digest of the ROM contents is initially 

33 generated prior to the installation of the ROM in the machine by using a known 
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1 algorithm usually referred to as a hash function. A hash function is a computation 

2 procedure that produces a fixed-size string of bits from a variable-size digital input. 

3 The fixed-sized string of bits is termed the hash value. If the hash function is 

4 difficult to invert « termed a one-way hash function ~ the hash function is also 

5 termed a message digest function, and the result is termed the message digest. The 

6 message digest is unique to any given variable size input data set, i.e., the game data 

7 set stored in the ROM. When it becomes necessary to later authenticate the ROM 

8 from any given machine, the ROM is physically removed from the game console and 

9 the message digest of the ROM contents is computed directly from the ROM using 

10 the original hash function. The computed message digest is compared with the 

1 1 message digest on file at the designated custodial location (typically in the casino 

12 itself). This procedure is typically carried out whenever a machine produces a payoff 

13 beyond a given threshold value. If the two message digests match, then the contents 

14 of the ROM are considered to be authenticated (verified) and the payout is made to 

15 the player. 

16 While such electronic casino gaming systems have been found to be useful 

17 in promoting casino game play, the restriction requiring that the casino game 

18 program be stored in unalterable ROM memory, leads to a number of 

19 disadvantageous limitations. First, due to the limited capacity of the ROM storage 

20 media traditionally used to hold the program, the scope of game play available with 

21 such systems is severely limited. For sophisticated games using motion video and 

22 audio multi-media elements, much more memory capacity, on the order of hundreds 

23 of megabytes, is necessary. However, physical verification of such a large quantity 

24 of physical devices is not practical, and has thus far been an impediment to creating 

25 sophisticated games with more player appeal. Second, the authentication check is 

26 only conducted on a limited basis (usually after a jackpot) or other significant 

27 winning game outcome, and the authentication procedure requires that game play be 

28 halted until the ROM contents have been found to be authentic. 
29 

30 SUMMARY OF THE INVENTION 

31 The invention comprises an electronic casino gaming system which greatly 

32 expands casino game play capability and enhances security and authentication 

33 capabilities. More particularly, the invention comprises an electronic casino gaming 
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1 system and method having greatly expanded mass storage capability for storing a 

2 multiplicity of high resolution, high sound quality casino type games, and provides 

3 enhanced authentication of the stored game program information with a high security 

4 factor. 



6 data set is carried out within the casino game console using an authentication 

7 program stored in an unalterable ROM physically located within the casino game 

8 console. The casino game data set and a unique signature are stored in a mass 

9 storage device, which may comprise a read only unit or a read/write unit and which 

1 0 may be physically located either within the casino game console or remotely located 

1 1 and linked to the casino game console over a suitable network. The authentication 

12 program stored in the unalterable ROM performs an authentication check on the 

1 3 casino game data set at appropriate times, such as prior to commencement of game 

1 4 play, at periodic intervals or upon demand. At appropriate occasions, the contents of 

15 the unalterable ROM can be verified by computing the message digest of the 

16 unalterable ROM contents and comparing this computed message digest with a 

1 7 securely stored copy of the message digest computed from the ROM contents prior 

18 to installation in the casino game console. 

1 9 From a process standpoint, this aspect of the invention comprises a method 

20 of authenticating a data set of a casino style game which consists of two phases: a 

21 game data set preparation phase and a game data set checking phase. In the game 

22 data set preparation phase, the method proceeds by providing a data set for a casino 

23 game, computing a first abbreviated bit string unique to the casino game data set, 

24 encrypting the first abbreviated bit string to provide an encrypted signature of the 

25 casino game data set, and storing the casino game data set and the signature in a 

26 mass storage device. The first abbreviated bit string is preferably computed using a 

27 hash function to produce a message digest of the casino game data set. The signature 

28 is then encrypted from the message digest. After storage of the game data set and 

29 unique signature, this information is installed in a casino game console. The casino 

30 game data set checking phase proceeds by computing a second abbreviated bit string 

3 1 from the stored casino game data set using the same hash function, decrypting the 

32 stored encrypted signature to recover the first abbreviated bit string, and comparing 

33 the first and second abbreviated bit strings to determine whether the two strings 
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According to a first aspect of the invention, authentication of a casino game 
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match. If a match does occur, the casino game data set is deemed authentic; if there 
is no match, authentication is denied and game play is prohibited. 

The encryption/decryption process is preferably performed using a private 
key/public key technique in which the first abbreviated bit string is encrypted by the 
game manufacturer using a private encryption key maintained in the custody of the 
game manufacturer. The decryption of the signature is performed using a public key 
which is contained in an unalterable read only memory element located in the game 
console, along with the casino game data set. The casino game data set is preferably 
stored in a mass storage device, such as a magnetic or CD-ROM disk drive unit or 
a network file unit, the selected unit having a relatively large capacity. The actual 
size of the mass storage device will depend upon the casino game storage 
requirements and can be tailored to any specific application. 

Each time a casino game data set is transferred from the mass storage device 
to the main memory of the system, the authentication routine is run. The 
authentication routine can also be means of an operator switch mounted in the game 
console or remotely via a network. Consequently, the authenticity of the data set can 
be automatically checked whenever the transfer occurs and at other appropriate times. 

In order to detect attempts to tamper with the contents of the unalterable read 
only memory element located in the game console, a message digest computed for 
the authentication program stored therein is stored in a secure manner in a different 
location from the game console, such as the casino operator's security facilities or 
the facilities of a gaming commission (or both). The authenticity of the unalterable 
read only memory element is checked in the same way as that now performed in 
prior art devices: viz. computing the message digest directly from the unalterable 
read only memory device, and comparing the message digest thus computed with the 
custodial version. 

From an apparatus standpoint, the first aspect of the invention comprises an 
electronic casino gaming system having means for providing authentication of a 
game data set of a casino type game prior to permitting game play, the system 
including first means for storing a casino game data set and a signature of the casino 
game data set, the signature comprising an encrypted version of a unique first 
abbreviated bit string computed from the casino game data set; second means for 
storing an authentication program capable of computing a second abbreviated bit 
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1 string from the casino game data set stored in the first storing means and capable of 

2 decrypting the encrypted signature stored in the first storing means to recover the 

3 first abbreviated bit string; processing means for enabling the authentication program 

4 to compute an abbreviated bit string from the casino game data set stored in the first 

5 storing means and for enabling the authentication program to decrypt the encrypted 

6 signature; and means for comparing the computed second abbreviated bit string with 

7 the decrypted abbreviated bit string to determine whether a match is present. The 

8 first storing means preferably comprises a mass storage device, such as a disk drive 

9 unit, a CD-ROM unit or a network storage unit. The second storing means preferably 

10 comprises an unalterable read only memory in which the authentication program is 

1 1 stored. 

12 According to a second aspect of the invention, the authentication program 

1 3 stored in the unalterable ROM located within the casino game console is used to test 

1 4 the authenticity of all other programs and fixed data stored in memory devices in the 

15 electronic casino gaming system, such as a system boot ROM, memory devices 

16 containing the operating system program, system drivers and executive/loader 

17 programs, and other memory devices incorporated into the electronic casino game 

18 system architecture. The contents of each such memory device, whether program 

19 information or fixed data, include signatures encrypted from message digests 

20 computed using a hash function from the original program information or fixed data 

21 set. Upon system initialization, the authentication program in the unalterable ROM 

22 is used to authenticate the individual memory device contents in essentially the same 

23 fashion as that used to authenticate the casino game data sets. More specifically, the 

24 message digest for the given program or fixed data set is computed using the same 

25 hash function originally used to produce the message digest for that program or fixed 

26 data set. The encrypted signature is decrypted using the proper decryption program 

27 and decryption key to recover the message digest. The two versions of the message 

28 digest are then compared and, if found to be matching, the concerned program or 

29 fixed data set is deemed authentic and is permitted to be used by the system. Once 

30 all of the concerned programs and fixed data sets have been so authenticated, the 

31 casino game data set authentication procedure is run, after which game play is 

32 permitted (provided a match occurs). 
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From a process standpoint, this second aspect of the invention comprises a 
method of authenticating a program or data set of a casino style game which consists 
of two phases: a program or fixed data set preparation phase, and a program or fixed 
data set checking phase. In the program or fixed data set preparation phase, the 
method proceeds by providing a program or fixed data set for a casino game, 
computing a first abbreviated bit string unique to the program or fixed data set, 
encrypting the first abbreviated bit string to provide an encrypted signature of the 
program or fixed data set, and storing the program or fixed data set and the signature 
in a memory device. The first abbreviated bit string is preferably computed using a 
hash function to produce a message digest of the program or fixed data set. The 
signature is then encrypted from the message digest. After storage of the program or 
fixed data set and unique signature in the memory device, the memory device is 
installed in a casino game console. The casino game program or fixed data set 
checking phase proceeds by computing a second abbreviated bit string from the 
stored casino game program or fixed data set stored in the memory device using the 
same hash function, decrypting the encrypted signature stored in the memory device 
to recover the first abbreviated bit string, and comparing the first and second 
abbreviated bit strings to determine whether the two strings match. If a match does 
occur, the casino game program or fixed data set is deemed authentic; if there is no 
match, authentication is denied and use of that casino game program or fixed data 
set is prohibited. 

The authentication routine is run each time a given casino game program or 
fixed data set needs to be called or used. The authentication routine can also be run 
automatically on a periodic basis, or on demand either locally by means of an 
operator switch mounted in the casino game console or remotely via a network. 
Consequently, the authenticity of the casino game program or fixed data set can be 
automatically checked whenever use of that program or fixed data set is required and 
at other appropriate times, such as in the course of a gaming commission audit. 

From an apparatus standpoint, this second aspect of the invention comprises 
an electronic casino gaming system for providing authentication of a casino game 
program or fixed data set prior to permitting system use of that casino game program 
or fixed data set, the system including first means for storing a casino game program 
or fixed data set and a signature of the casino game program or fixed data set; the 
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1 signature comprising an encrypted version of a unique first abbreviated bit string 

2 computed from the casino game program or fixed data set; second means for storing 

3 an authentication program capable of computing a second abbreviated bit string from 

4 the casino game program or fixed data set stored in the first storing means and 

5 capable of decrypting the encrypted signature stored in the first storing means to 

6 recover the first abbreviated bit string; processing means for enabling the 

7 authentication program to compute an abbreviated bit string from the casino game 

8 program or fixed data set stored in the first storing means and for enabling the 

9 authentication program to decrypt the encrypted signature; and means for comparing 

1 0 the computed second abbreviated bit string with the decrypted abbreviated bit string 

11 to determine whether a match is present. The first storing means preferably 

12 comprises a memory device, such as a read only memory or random access memory. 

1 3 The second storing means preferably comprises an unalterable read only memory in 

14 which the authentication program is stored. 

1 5 Electronic casino game systems incorporating the invention provide a vastly 

1 6 expanded capacity for more sophisticated and attractive casino-style games, while at 

17 the same time improving the authentication of the games without compromising 

1 8 security. In addition, casino game systems incorporating the invention provide great 

19 flexibility in changing casino game play, since the casino game data sets representing 

20 the various games can be stored in alterable media rather than read only memory 

21 units as with present casino game systems. 

22 By separating the authentication process from the casino game data set 

23 storage, the invention affords secure distribution and execution of program code and 

24 data, regardless of the particular distribution or storage technique employed. More 

25 specifically, the invention allows the casino game data set to reside in any form of 

26 secondary storage media, such as the traditional ROM storage, hard magnetic disk 

27 drives and CD-ROM drives, or networked file systems. So long as the authentication 

28 procedure conducted on the game data set is performed using the authentication 

29 program stored in an unalterable ROM, and so long as that ROM can be verified 

30 reliably, any casino game data set can be loaded from any source and can be verified 

31 by the system at any time: either prior to use, during run-time, periodically during 

32 run-time or upon demand. The large quantities of storage that can be made available 

33 in a secure fashion using the invention, facilitates the creation of casino gaming 



3 



WO 97/01902 




-8- 




CIYUS96/10463 



1 systems offering both an increased diversity of games, and individual games of 

2 superior quality. In addition, the authentication of all casino game program and fixed 

3 data software ensures the integrity of all system software both prior to game play and 

4 thereafter at periodic or random intervals. 

5 For a fuller understanding of the nature and advantages of the invention, 

6 reference should be had to the ensuing detailed description taken in conjunction with 

7 the accompanying drawings. 
8 

9 BRIEF DESCRIPTION OF THE DRAWINGS 

1 0 FIG. 1 is a block diagram of a system incorporating the invention; 

11 FIG. 2 is a schematic diagram illustrating the contents of the read only 

12 memory and the mass storage device; 

13 FIG. 3 is a more detailed schematic view of the authentication program stored 

14 in the ROM and the game data stored in the mass storage unit; 

15 FIG. 4 is a diagram illustrating the preparation of the game data set; 

1 6 FIG. 5 is a diagram illustrating the authentication procedure for the game data 

17 set; and 

1 8 FIG. 6 is a diagram illustrating an alternative approach to the secure loading 

19 of software into the system. 
20 

21 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

22 Turning now to the drawings, FIG. 1 is a block diagram of an electronic 

23 casino gaming system incorporating the invention. As seen in this figure, the system 

24 consists of several system components under software control. These system 

25 components include a microprocessor 12, which may comprise any general purpose 

26 microprocessor, such as a Pentium-based microprocessor from Intel Corporation. A 

27 main memory unit 13 is provided, which is typically a random access memory 

28 having a capacity of between 32 and 64 megabytes for storing the majority of 

29 programs and graphics elements during game play. A system boot ROM 14 provides 

30 the initialization software required when power is first applied to the system. ROM 

31 14 contains additional programs in read only form, including the operating system, 

32 related drivers and the authentication software described in detail below. A non- 
33 volatile RAM 17 is a battery backed static RAM capable of maintaining its contents 
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1 through power cycling. NV RAM 1 7 stores significant information relating to game 

2 play, such as the number of player credits, the last game outcome and certain 

3 diagnostic and error information not critical to an understanding of the invention. 

4 A mass storage unit implemented in the Fig. 1 system as a magnetic hard disk 

5 drive unit 18 is coupled to and controlled by a disk subsystem 19 of conventional 

6 design and operation. Disk drive unit 1 8 provides storage for the game specific data 

7 set, which includes both program data and image data specifying the rules of the 

8 various different casino games or single casino game variations, and the types of 

9 images and image sequences to be displayed to the game players. The size of the 

10 disk drive unit 18 is a function of the number of games and game variations 

1 1 provided for a given system, as well as the amount of data required for each specific 

12 game. In general, the more motion video designed into a particular casino game, the 

1 3 more storage required for that casino game software. A disk drive unit 1 8 with a 4- 

14 gigabyte capacity will usually provide sufficient storage capacity. Disk subsystem 19 

1 5 comprises a disk controller connected to a PCI bus 20 for controlling the disk drive 

16 unit 18. Controller 19 preferably supports SCSI-2, with options of fast and wide. It 

1 7 should be noted that a number of different types of locally-based disk drive units 

1 8 may be used in the Fig. 1 system, including a CD-ROM storage unit. Also, the mass 

1 9 storage unit need not be physically located within the game console along with the 

20 other elements depicted in Fig. 1: the mass storage unit may be located remotely 

21 from the game console and coupled thereto by means of an appropriate network, 
.22 such as an ethernet, an R5232 link, or some other hard-wired or wireless network 

23 link. This latter alternate arrangement is indicated by the inclusion of a network 

24 subsystem 21 of appropriate configuration and functional characteristics, which may 

25 have ethernet, R5232 serial, or other network compatibility. 

26 A video subsystem 22 is coupled to the PCI bus and provides the capability 

27 of displaying full color still images and MPEG movies with a relatively high frame 

28 rate (e.g. 30 frames per second) on an appropriate monitor (not shown). Optional 3D 

29 texture mapping may be added to this system, if desired. 

30 A sound subsystem 23 having a stereo sound playback capability with up to 

31 16 bit CD quality sound is coupled to an ISA bus 24. A general purpose 

32 input/output unit 25 provides interfaces to the game mechanical devices (not 

33 illustrated) such as manually actuatable switches and display lights. A first bridge 
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1 circuit 27 provides an interface between microprocessor 12, ROM 14, main memory 

2 13 and PCI bus 20. Bridge circuit 27 is preferably a TRITON chip set available from 

3 INTEL Corporation. A second bridge circuit 28 provides an interface between the 

4 PCI bus 20 and the ISA bus 24. Bridge circuit 28 is preferably a type 82378 chip 

5 available from Intel Corporation. 

6 Fig. 2 illustrates the types of information stored in the system ROM 14 and 

7 the mass storage unit. As seen in Fig. 2, the ROM unit 14 used in the Fig. 1 system 

8 comprises two separate ROM elements: ROM 29 and ROM 30. ROM 29 must be an 

9 unalterable device, such as a Toshiba type C53400 512Kx8 bit mask programmed 

10 ROM. ROM 30 is preferably an unalterable device like ROM 29, but may comprise 

1 1 a different type of ROM, such as a type 29FO40 field programmable flash ROM 

12 available from Intel Corp. ROM 29 contains the system initialization or boot code, 

1 3 an authentication program, a random number generator program and an initial portion 

14 of the executive/loader programs. ROM 30 contains the operating system program, 

15 the system drivers and the remainder of the executive/loader programs as noted 

16 below. The mass storage unit contains the applications, which include the game 

1 7 image and sound data, rules of game play and the like, and the signature associated 

18 to each particular casino game. 

19 Fig. 3 illustrates the authentication and application program information in 

20 more detail. As seen in this figure, the authentication program stored in unalterable 

21 ROM 29 comprises a message digest algorithm component 32, a decryption 

22 algorithm component 33, and a decryption key component 34. The message digest 

23 algorithm component 32 stored in ROM 29 comprises an exact copy of a hash 

24 function program routine used to originally compute a message digest from the 

25 loadable game data set 36 in the manner described below. The decryption algorithm 

26 component 33 stored in ROM 29 comprises the algorithm required to decrypt any 

27 encrypted casino game data set signature using the decryption key component 34. 

28 The decryption key component 34 comprises the decryption key that is 

29 required to decrypt any of the encrypted signatures 37 in the manner described below 

30 during the authentication routine. 

31 Fig. 4 illustrates the manner in which an encrypted data set signature 37 is 

32 generated. A loadable casino game data set 36 is processed using a hash function 41 

33 to generate a message digest 42 which is unique to the loadable game data set 36. 

// 



WO 97/01902 



-11- 



CT/US96/10463 



1 The hash function employed may be one of a number of known hash functions, such 

2 as the MD2, MD4, and MD5 hash functions and the SHS hash function; or any other 

3 suitable hash function capable of producing a unique abbreviated bit string from a 

4 variable size input data set. For further information about these hash functions, 

5 reference should be had to the publication entitled "Answers To Frequently Asked 

6 Questions About Today's Cryptography", Revision 2.0, October 5, 1993, published 

7 by RSA Laboratories, Redwood City, California, and the publications listed in the 

8 references section thereof, the disclosures of which are hereby incorporated by 

9 reference. After generation, the message digest 42 is then encrypted with an 

10 encryption algorithm 43 using a private encryption key 44 to generate a signature 37 

11 of the message digest. In the preferred embodiment, the two-key (private/public key) 

12 encryption technique developed by RSA Data Security, Inc., of Redwood City, 

13 California, is used. This technique is disclosed and described in U.S. Patent Nos. 

14 4,200,770, 4,21 8,582 and 4,405,829, the disclosures of which are hereby incorporated 

15 by reference. The signature 37 of the message digest 42 is then stored in the mass 

16 storage unit along with the loadable data set 36. 

17 Fig. 5 illustrates the authentication routine carried out in accordance with the 

1 8 invention, when the authentication routine is called (see below), the loadable casino 

19 game data set 36 is transferred from the mass storage unit to main memory 13 

20 (unless already there), and the message digest of casino game data set 36 is 

21 computed using the message digest algorithm 32. Message digest algorithm 32 uses 

22 the same hash function 41 as that used by the manufacturer to prepare the original 

23 message digest 42. The result is an unencrypted version 46 of the message digest 

24 computed from the casino game data set 36 currently present in the mass storage 

25 unit. The encrypted data set signature 37 is decrypted using the public decryption key 

26 34 matching the private key 44 used to originally encrypt the message digest 42 of 

27 the casino game data set 36. The message digest 47 decrypted with decryption key 

28 34 is then compared with the message digest 46 computed from the casino game data 

29 set 36. If the two message digests match, then the casino game data set 36 is deemed 

30 authentic and game play may proceed. If there is no match, either the casino game 

31 data set 36 or the signature 37 is deemed corrupted and not authentic. Game play is 

32 prohibited and appropriate actions can be taken: e.g. alerting a security employee 



-12- 

1 using a suitable messaging system (an audible alarm, flashing lights, or a network 

2 message from the game console to a central security area). 

3 In order to ensure that the authentication routine cannot be bypassed by 

4 tampering with the loader program stored in ROM 30, an initial part of the loader 

5 program is incorporated into unalterable ROM 29. This initial portion of the loader 

6 program requires that the authentication program be called prior to the initiation of 

7 any casino game play. Since this initial portion of the loader program is located in 

8 the unalterable ROM 29, and since no casino game play can occur until the particular 

9 casino game application data set 36 is loaded into main memory 13, the 

1 0 authentication procedure cannot be bypassed by tampering with the software stored 

1 1 in ROM 30. 

12 Since authentication of the game data set 36 and signature 37 is entrusted to 

13 the contents of ROM 29, a procedure must be provided to verify the ROM 29 

14 contents. For this purpose, a message digest is computed for the authentication 

15 program stored in ROM 29, and this message digest is stored in a secure manner 

16 with the casino operator or the gaming commission (or both) along with the hash 

17 function used to produce the message digest. This hash function may be the same 

1 8 hash function used to compute the message digest 42 of the casino game data set or 

19 a different hash function. In this way, the authenticity of the ROM 29 can be easily 

20 checked in the same way as that now performed in prior art devices: viz. computing 

21 the message digest directly from the ROM 29 and comparing the message digest thus 

22 computed with the custodial version of the message digest. If required by a given 

23 gaming commission or deemed desirable by a casino operator, the system may also 

24 display the message digest 42 of each particular data set 36 or the encrypted 

25 signature version 37 for auditing purposes. In addition, the system may transmit this 

26 information via networking subsystem 21 to an on-site or off- site remote location 

27 (such as the office of the gaming commission). The message digest displayed or 

28 transmitted may comprise the decrypted version or the computed version (or both). 

29 The authentication procedure carried out by means of the message digest 

30 program 32, decryption program 33 and decryption key 34 stored in unalterable 

3 1 ROM 29 in the manner described above is also used to authenticate the contents of 

32 all memory devices in the Fig. 1 system, such as the contents of ROM 30 (see Fig. 

33 2), the fixed data portions and program components stored in NV RAM 17 and the 
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1 program and fixed data contents of any memory devices stored in the networking 

2 subsystem 21, video subsystem 22, sound subsystem 23, PCI-ISA interface 24, and 

3 GPIO unit 25. Each program or fixed data set stored in any memory device in any 

4 of these units has an associated signature, which is encrypted from a message digest 

5 of the original program or fixed data set using a hash function, which is preferably 

6 the same hash function used to prepare the message digest of the casino game data 

7 set. Prior to permitting any such program or fixed data set to participate in the 

8 system operation, that program or fixed data set is subjected to the authorization 

9 procedure to ensure that the message digest computed from the current version of the 

1 0 program or fixed data set matches the message digest decrypted from the encrypted 

1 1 signature associated to the program or fixed data set. In addition, the authentication 

1 2 procedure can be run on each such program or fixed data set at periodic or random 

1 3 intervals (on demand) in a manner essentially identical to that described above with 

14 respect to the casino game data set authentication procedure. As a consequence, the 

1 5 integrity of all software in the system is checked prior to the use of that particular 

1 6 software in order to reveal any unauthorized changes to the software portion of the 

17 casino gaming system. 

1 8 An alternative approach to the secure loading of software into the system is 

19 depicted in FIG. 6. In this embodiment the basic input/output system (BIOS) 

20 software is stored in a ROM 50, the first of two ROMs making up the system boot 

21 ROM 14 (FIG. 1). The boot strap code, operating system code (OS), OS drivers and 

22 a secure loader are stored in a second ROM 52. An anchor application 54 including 

23 graphics and sound drivers, system drivers, money-handling software, a second 

24 secure loader, and a signature is stored in the mass storage 18 (FIG. 1). 

25 When power is initially applied to the system on start-up, or when the system 

26 experiences a warm restart, the CPU 12 will begin executing code from the BIOS 

27 ROM 50. The BIOS is responsible for initializing the motherboard and peripheral 

28 cards of the system. After the BIOS has completed the initialization, it jumps to the 

29 boot strap code in ROM 252 causing the boot strap to copy the OS, OS drivers, and 

30 the secure loader into RAM. 

3 1 Once in RAM, the OS is started and the secure loader stored in ROM 52 is 

32 used to load the anchor application 54 from disk 18. On disk, the anchor application 

if 
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has a signature that is used during the load to verify the validity of the anchor 
application. 

After the anchor application 54 is started, it will be used to load all other 
applications. The secure loader of the anchor application will check the validity of 
an application to be loaded by computing the signature and comparing it against the 
one stored on disk with the application as described above. 

An important advantage of the invention not found in 20 prior art systems 
is the manner in which the casino game data set can be authenticated. In prior art 
systems, authentication of the casino game data set is normally only done when a 
payout lying above a given threshold is required by the outcome of the game play, 
and this requires that the game be disabled while the ROM is physically removed and 
the ROM contents are verified. In systems incorporating the invention, the 
authenticity of a given casino game data set can be checked in a variety of ways. For 
example, the game data set 36 can be automatically subjected to the authentication 
procedure illustrated in Fig. 5 each time the game is loaded from the mass storage 
unit into the main memory 1 3 . Thus, as a player selects a casino game for game play 
in the system, the authenticity of that game actually stored in the mass storage unit 
is automatically checked using the authentication procedure described above without 
removing the ROM 29. Further, if desired, the authentication procedure may be 
initiated in response to the pull of a slot game handle, the detection of a coin insert, 
the payout of coins or issuing of credit, or any other detectable event related to game 
play. The authenticity of a given casino game data set 36 can also be checked on 
demand, either locally at the game console or remotely via a network, by providing 
a demand procedure. Such a procedure may be initiated, e.g. by providing a 
manually operable switch in the game console, accessible only to authorized persons, 
for initiating the authentication routine. Alternatively, the Fig. 1 system may be 
configured to respond to a demand command generated remotely (e.g. in a security 
area in the casino or off-site) and transmitted to the game console over a network to 
the networking subsystem 21. 

Another advantage of the invention lies in the fact that the game data set 
storage capacity of a system incorporating the invention is not limited by the size of 
a ROM, but is rather dictated by the size of the mass storage unit. As a consequence, 
games using high resolution, high motion video and high quality stereo sound can 
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1 be designed and played on systems incorporating the invention. Also, since the mass 

2 storage unit need not be a read-only device, and need not be physically located in the 

3 game console, the invention affords great flexibility in game content, scheduling and 

4 changes. For example, to change the graphic images in a particular casino game or 

5 set of games, new casino game data sets can be generated along with new signatures 

6 and stored in the mass storage unit by either exchanging disk drives, replacing disks 

7 (for read only disk units), or writing new data to the media. In the networked mass 

8 storage application, these changes can be made to the files controlled by the network 

9 file server. Since the casino game data sets must pass the authentication procedure 

1 0 test, either periodically or on demand, corrupted data sets cannot go undetected. Thus 

11 the invention opens up the field of electronic casino gaming systems to readily 

12 modifiable games with flexible displays and rules, without sacrificing the essential 

13 security of such systems. In fact, security is greatly enhanced by the ability of the 

1 4 invention to authenticate all game data sets both regularly (for each handle pull) and 

15 at any time (on demand), without interfering with regular game play (unless no 

16 match occurs between the two forms of message digest). 

17 While the. above provides a full and complete disclosure of the preferred 

18 embodiments of the invention, various modifications, alternate constructions and 

1 9 equivalents may be employed without departing from the true spirit and scope of the 

20 invention. For example, while the RSA public/private key encryption technique is 

21 preferred (due to the known advantages of this technique), a single, private key 

22 encryption technique may be employed, if desired. In a system using this technique, 

23 the single key would be stored in ROM 29 in place of the public key 34. Also, the 

24 message digest 42 and signature 37 for a given application 36 need not be computed 

25 from the entire casino game data set. For example, for some casino games it may be 

26 desirable to provide a fixed set of rules while permitting future changes in the casino 

27 game graphics, sound or both. For such casino games, it may be sufficient to 

28 compute the message digest 42 and signature 37 from only the rules portion of the 

29 applications program 36. In other cases, it may be desirable or convenient to 

30 maintain the casino game video and audio portions constant, while allowing future 

31 changes to the rules of game play. For casino games of this category, the message 

32 digest 42 and signature 37 may be computed from the graphics and sound portions 

33 of the application program 36. It may also be desirable to compute a message digest 

16 
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1 42 and signature 37 from a subset of the rules, graphics or sound portions of a given 

2 applications program 36, or from some other subset taken from a given applications 

3 program 36. Therefore, the above should not be construed as limiting the scope of 

4 the invention, which is defined by the appended claims. 



